When executed, the worm copies itself as the following file:
It then creates the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Licenses\"[MAC ADDRESS]" = "[HEXADECIMAL DATA]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Google\"[MAC ADDRESS]" = "[HEXADECIMAL DATA]"
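As an added defender-side check (not part of the original writeup), the following PowerShell snippet looks for value names shaped like a MAC address under the two registry keys listed above; the MAC-address format and the hex-data encoding are assumptions, since the writeup does not state them.

```powershell
# Added example: look for the registry markers described above.
# Assumptions (not given in the writeup): the value name is a MAC address written
# with colons, dashes or no separator, and the data is REG_BINARY or a hex string.
$Keys = @('HKLM:\SOFTWARE\Licenses', 'HKLM:\SOFTWARE\Google')
$MacPattern = '^([0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$'

function Test-WecorlRegistryMarker {
    param([string[]]$Paths = $Keys)
    $hits = @()
    foreach ($path in $Paths) {
        # HKLM\SOFTWARE\Google is expected on hosts with Google software; only
        # MAC-address-named values under it are of interest.
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path
        foreach ($name in $item.GetValueNames()) {
            if ($name -notmatch $MacPattern) { continue }
            $data = $item.GetValue($name)
            # Normalise the data to a hex string so both encodings are reported alike.
            if ($data -is [byte[]]) {
                $hex = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            } else {
                $hex = [string]$data
            }
            if ($hex -match '^[0-9A-Fa-f]+$') {
                $hits += [pscustomobject]@{ Key = $path; ValueName = $name; DataHex = $hex }
            }
        }
    }
    return $hits
}

$found = @(Test-WecorlRegistryMarker)
if ($found.Count -eq 0) {
    'No MAC-address-named values found under the listed keys.'
} else {
    $found | Format-Table -AutoSize
}
```

A hit is one indicator to correlate with the file and network artifacts listed elsewhere in this writeup, not proof of infection on its own.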
It then modifies the following file in order to hook certain file system operations:
The original file above is copied to the following location and then replaced:
Next, the worm deletes the following file:
It then modifies the following file:
Modified files are detected as W32.Wecorl!inf.
The worm then attempts to download files from the following URLs:
The downloaded files are saved to the following locations:
The worm then attempts to connect to the following URL to obtain the IP address of the compromised computer:
It then attempts to connect to all computers on the local subnet on the following TCP port:
The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.
The worm connects to the following URL in order to update itself:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":